Making Memory Account Accountable: Analyzing and Detecting Memory Missing-account bugs for Container Platforms

Yutian Yang, Wenbo Shen, Xun Xie, Kangjie Lu, Mingsen Wang, Tianyu Zhou, Chenggang Qin, Wang Yu, Kui Ren

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


The Linux kernel introduces the memory control group (memcg) to account for and confine memory usage at the process level. Because of its flexibility and efficiency, memcg has been widely adopted by container platforms and has become a fundamental technique. While critical, memory accounting is prone to missing-account bugs because of the diverse memory accounting interfaces and the massive number of allocation/free paths. To our knowledge, there is still no systematic analysis of the memory missing-account problem with respect to its security impacts, detection, etc. In this paper, we present the first systematic study of the memory missing-account problem. We first perform an in-depth analysis of its exploitability and its security impacts on container platforms. We then develop a tool named MANTA (short for Memory AccouNTing Analyzer), which combines static and dynamic analysis techniques to detect and validate memory missing-account bugs automatically. Our analysis shows that all container runtimes, including runC and Kata Containers, are vulnerable to memory missing-account-based attacks. Moreover, memory missing-account can be exploited to attack Docker, CaaS, and FaaS platforms, leading to memory exhaustion that crashes an individual node or even the whole cluster. Our tool reports 53 exploitable memory missing-account bugs, 37 of which were confirmed by kernel developers with the corresponding patches submitted, and two new CVEs were assigned. Through the in-depth analysis, the automated detection, the reported bugs, and the submitted patches, we believe our research improves the correctness and security of memory accounting for container platforms.
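The abstract describes missing-account bugs as allocation paths that never charge the caller's memcg. The script below is an added illustration written for this page; it is not MANTA and not kernel code. It shows the simplest static check behind that idea: in the Linux kernel, slab and page allocations are charged to the memory cgroup only when the gfp mask carries __GFP_ACCOUNT (GFP_KERNEL_ACCOUNT includes it) or when the kmem_cache was created with SLAB_ACCOUNT. It scans a constructed C fragment (demo_obj, demo_init, demo_alloc, demo_ioctl, acct_cachep and plain_cachep are invented names) and flags allocations whose literal gfp mask lacks the flag; a gfp mask passed in as a variable is reported as unknown rather than guessed.

```python
"""Added textual heuristic (not MANTA): flag kernel allocations that bypass memcg charging.
Slab and page allocations are charged to the caller's memcg only when the gfp mask carries
__GFP_ACCOUNT (GFP_KERNEL_ACCOUNT includes it) or the kmem_cache was created with SLAB_ACCOUNT."""
from __future__ import annotations
import re
from collections import namedtuple

GFP_ALLOCATORS = {"kmalloc": 1, "kzalloc": 1, "kvmalloc": 1, "kvzalloc": 1,   # callee -> index
                  "kcalloc": 2, "kmalloc_array": 2, "alloc_pages": 0}         # of its gfp_t arg
CACHE_ALLOCATORS = {"kmem_cache_alloc": 1}                # arg 0 is the cache, arg 1 the gfp_t
CACHE_CTORS = {"kmem_cache_create": 3, "KMEM_CACHE": 1}   # index of the slab_flags_t argument
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(
    map(re.escape, [*GFP_ALLOCATORS, *CACHE_ALLOCATORS, *CACHE_CTORS])))
ACCOUNT_FLAG_RE = re.compile(r"\b(__GFP_ACCOUNT|GFP_KERNEL_ACCOUNT)\b")
ASSIGN_RE = re.compile(r"(\w+)\s*=\s*$")    # `cachep = ` immediately before a constructor call
Finding = namedtuple("Finding", "line callee verdict reason")  # verdict: accounted|unaccounted|unknown


def strip_comments(src: str) -> str:
    """Blank out /* */ and // comments but keep newlines so line numbers stay valid."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def split_args(src: str, start: int) -> list[str]:
    """Split a C argument list beginning just after '(' at depth-0 commas."""
    depth, cur, args = 0, "", []
    for ch in src[start:]:
        if ch == ")" and depth == 0:
            return args + [cur.strip()]
        if ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    raise ValueError("unterminated argument list")


def gfp_verdict(expr: str) -> tuple[str, str]:
    """Classify a gfp_t expression; a variable such as a gfp parameter cannot be resolved."""
    if ACCOUNT_FLAG_RE.search(expr):
        return "accounted", f"gfp {expr!r} carries __GFP_ACCOUNT"
    if all(re.fullmatch(r"(__)?GFP_\w+", tok) for tok in re.findall(r"\w+", expr)):
        return "unaccounted", f"gfp {expr!r} lacks __GFP_ACCOUNT"
    return "unknown", f"gfp {expr!r} is not a literal flag mask"


def scan(c_source: str) -> list[Finding]:
    """Report every recognised allocation call with its memcg-accounting verdict."""
    src, accounted_caches, findings = strip_comments(c_source), set(), []
    for m in CALL_RE.finditer(src):
        callee, args = m.group(1), split_args(src, m.end())
        line = src.count("\n", 0, m.start()) + 1
        if callee in CACHE_CTORS:   # remember caches that opt in: `x = kmem_cache_create(.., SLAB_ACCOUNT, ..)`
            lhs = ASSIGN_RE.search(src, 0, m.start())
            if lhs and re.search(r"\bSLAB_ACCOUNT\b", args[CACHE_CTORS[callee]]):
                accounted_caches.add(lhs.group(1))
            continue
        if callee in CACHE_ALLOCATORS and args[0] in accounted_caches:
            findings.append(Finding(line, callee, "accounted", f"cache {args[0]} has SLAB_ACCOUNT"))
            continue
        verdict, reason = gfp_verdict(args[{**GFP_ALLOCATORS, **CACHE_ALLOCATORS}[callee]])
        findings.append(Finding(line, callee, verdict, reason))
    return findings


# Constructed sample, not real kernel code: demo_obj, demo_init, demo_ioctl and the caches are invented.
SAMPLE_C = r"""
static struct kmem_cache *acct_cachep, *plain_cachep;

static int __init demo_init(void)
{
    acct_cachep = kmem_cache_create("demo_acct", sizeof(struct demo_obj), 0,
                                    SLAB_ACCOUNT, NULL);
    plain_cachep = kmem_cache_create("demo_plain", sizeof(struct demo_obj), 0, 0, NULL);
    return 0;
}

static void *demo_alloc(size_t len, gfp_t gfp)
{
    return kmalloc(len, gfp);   /* caller-supplied mask: not decidable from this function */
}

/* Reachable from user space via ioctl(); a container can drive it in a loop. */
static long demo_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
{
    struct demo_obj *a = kzalloc(sizeof(*a), GFP_KERNEL);
    struct demo_obj *b = kmalloc(sizeof(struct demo_obj), GFP_KERNEL_ACCOUNT);
    u64 *tbl = kmalloc_array(arg, sizeof(u64), GFP_KERNEL | __GFP_ACCOUNT);
    struct demo_obj *c = kmem_cache_alloc(acct_cachep, GFP_KERNEL);
    struct demo_obj *d = kmem_cache_alloc(plain_cachep, GFP_KERNEL);
    return 0;
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_C):
        print(f"line {f.line:>2}  {f.callee:<16} {f.verdict:<11} {f.reason}")
```

Run against the sample, the scan flags the kzalloc() call and the kmem_cache_alloc() from the cache created without SLAB_ACCOUNT, accepts the three allocations that opt in, and reports the helper that receives its gfp mask as a parameter as unknown. On a real kernel tree a check this shallow is noisy: many unaccounted allocations are bounded or freed before the syscall returns and cannot be driven to exhaustion, which is why the paper pairs static detection with dynamic validation rather than trusting the flag scan alone.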

Original language: English (US)
Title of host publication: Proceedings - 38th Annual Computer Security Applications Conference, ACSAC 2022
Publisher: Association for Computing Machinery
Number of pages: 12
ISBN (Electronic): 9781450397599
State: Published - Dec 5 2022
Externally published: Yes
Event: 38th Annual Computer Security Applications Conference, ACSAC 2022 - Austin, United States
Duration: Dec 5 2022 to Dec 9 2022

Publication series

Name: ACM International Conference Proceeding Series


Conference: 38th Annual Computer Security Applications Conference, ACSAC 2022
Country/Territory: United States

Bibliographical note

Funding Information:
The authors would like to thank all reviewers for insightful comments. This work is partially supported by the National Natural Science Foundation of China (Grants No. 62002317), by the National Key R&D Program of China (Grant No. 2020AAA0107700), by the Leading Innovative and Entrepreneur Team Introduction Program of Zhejiang (Grant No. 2018R01005), and by the Ant Group Funds for Security Research.

Publisher Copyright:
© 2022 ACM.

Keywords

  • Cloud infrastructure
  • DoS attack
  • Linux kernel
  • memory accounting
  • missing-account

